mirror of
https://github.com/revanced/Apktool.git
synced 2024-12-05 02:22:55 +01:00
Merge pull request #2072 from iBotPeaches/issue-2058
Prevent directory traversal on asset decoding
commit
f58e043c67
@ -71,6 +71,18 @@ public class UnknownDirectoryTraversalTest extends BaseTest {
|
||||
BrutIO.sanitizeUnknownFile(sTmpDir, "");
|
||||
}
|
||||
|
||||
@Test(expected = TraversalUnknownFileException.class)
|
||||
public void invalidBackwardPathOnWindows() throws IOException, BrutException {
|
||||
String invalidPath;
|
||||
if (! OSDetection.isWindows()) {
|
||||
invalidPath = "../../app";
|
||||
} else {
|
||||
invalidPath = "..\\..\\app.exe";
|
||||
}
|
||||
|
||||
BrutIO.sanitizeUnknownFile(sTmpDir, invalidPath);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void validDirectoryFileTest() throws IOException, BrutException {
|
||||
String validFilename = BrutIO.sanitizeUnknownFile(sTmpDir, "dir" + File.separator + "file");
|
||||
|
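Review bot: The name `invalidBackwardPathOnWindows` does not match what the test runs: on a non-Windows host it takes the `../../app` branch, so the backslash input `..\\..\\app.exe` is only exercised when the suite itself runs on Windows. If the forward-slash case is already covered by another test in this class (not visible in this hunk), the OS branch could become a skip, `Assume.assumeTrue(OSDetection.isWindows());` followed by `BrutIO.sanitizeUnknownFile(sTmpDir, "..\\..\\app.exe");`, so that a non-Windows run reports the case as skipped rather than passing on a different input. A one-line comment such as `// backslash is a path separator only on Windows; elsewhere it is an ordinary filename character` would explain why the case is platform-gated.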
@ -81,7 +81,8 @@ public class DirUtil {
|
||||
if (fileName.equals("res") && !in.containsFile(fileName)) {
|
||||
return;
|
||||
}
|
||||
File outFile = new File(out, fileName);
|
||||
String cleanedFilename = BrutIO.sanitizeUnknownFile(out, fileName);
|
||||
File outFile = new File(out, cleanedFilename);
|
||||
outFile.getParentFile().mkdirs();
|
||||
BrutIO.copyAndClose(in.getFileInput(fileName),
|
||||
new FileOutputStream(outFile));
|
||||
|
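Review bot: The `sanitizeUnknownFile` call is added without a comment saying why it is needed at this write site: `fileName` names an entry of `in`, so it is attacker-influenced when the input is an untrusted archive. A line such as `// fileName comes from the input being decoded; reject names that resolve outside out` above the call would keep a later refactor from dropping it. The hunk covers only this single-file write, and the enclosing method starts and ends outside it, so any other place there that builds a `File` from `out` and the raw `fileName` (a directory-copy branch, if one exists) would need the same call. Separately, the result of `outFile.getParentFile().mkdirs()` is ignored, so a failed directory creation only surfaces later as an error from `new FileOutputStream(outFile)`.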